Sherman's Security Blog
I am Sherman Hand. (also known as Policysup) I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down to earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations,re posts, or information that is already in the public domain.

The feared CryptoLocker ransom Trojan has infected at least a quarter of a million PCs worldwide, a success rate probably generating somewhere in the low millions of dollars in ransom payments, a new analysis by Dell SecureWorks has estimated.

Alarming reports of the chaos sown by CryptoLocker have been easy to come by, less so hard numbers about the scale of what has surely been the malware story of 2013.

Offering some of the first data, Dell SecureWorks recorded 31,866 infected PCs contacting sinkholed command and control servers between Oct. 22 and Nov. 1 alone, over 22,000 of which were in the U.S. with around 1,700 in the U.K.

Carrying out the same exercise between Dec. 9-16 , the number of infected PCs had fallen to only 6,459, a fall attributed mainly to a lower level of activity by the botnets pushing the malware.

From these numbers, the firm calculated that in the first 100 days of its activity from mid-September, CryptoLocker managed to infect between 200,000 and 250,000 PCs globally, disproportionately in English-speaking countries.

This brings Dell SecureWorks to the issue of how much money the criminals have made from CryptoLocker.

Based on bitcoin payments connected to ransoms, Dell Secureworks estimates that between September and December the sums extorted were between $380,000 and $980,000 in value, depending on how long the virtual currency was held for.

Because this excludes ransoms paid using other channels such as MoneyPak — most of the sums extorted Dell believes — the real damage had to be much higher than this, the firm said.

“These figures represent a conservative estimate of the number of ransoms collected by the CryptoLocker gang,” said Dell SecureWorks’ researchers.

“Based on this information and measurements of infection rates, CTU researchers estimate a minimum of 0.4 percent, and very likely many times that, of CryptoLocker victims are electing to pay the ransom.”

Many of the victims of CryptoLocker’s shakedown have been small businesses rather than consumers; from its first appearance the malware targeted SMEs using subject lines such as ‘consumer complaint’ to engineer employees into opening attachments, the firm said.

As this target field became exhausted, the criminals had shifted, probably reluctantly, to less profitable home users. Today, the waxing and waning of CryptoLocker corresponded to activity on botnets used to distribute it, such as Cutwail.

According to Dell, its creators were almost certainly seasoned in malware campaigns that appear to have made sound design decisions that complicate efforts to mitigate this threat and have demonstrated a capable distribution system based on the Cutwail and Gameover Zeus botnets.”